During his keynote session at Thursday’s Infosecurity Canada 2008 conference in Toronto, Dave Tyson, the online auction giant’s senior director of information security operations and business continuity planning, said that companies which have strong interactions with customers over the Internet will be the most sought-after target for hackers.

“If you’re a product or services-based company and you want to interact with your customers with greater functionality, attacks at the application layer will be an emerging problem for you,” he said. “We’ve found that most companies are prepared at the network level, but they haven’t put the strategies and budget in place for these new threats.”

In an application layer attack, hackers could be looking to hijack user accounts to get passwords and other personal information, gain administrative privileges on client/server machines, gain root access to execute malicious commands, or install Trojans and Backdoors to wipe out or destroy applications.

“The thing that really keeps me up at night is the speed of sophistication of these attacks, where things we saw six months ago still haven’t been taken hold in the general community,” he said.

According to Tyson, application layer attacks can easily hinder the trust relationship your company has with its clients. He cited the example of last year’s Bayrob Trojan horse, which was capable of establishing a proxy server in a victim’s computer and using it to steal sensitive data.

“It was distributed by e-mail, so the user gets a link that looks like it’s coming from your company,” Tyson said. “The trouble is, when you click the link, it downloads Apache Web Server and puts up a copy of your Web site. So, the user thinks they’re conducting business with you, but they are actually working with the bad guys.”

The increasing sophistication of botnets, he said, is another major concern for application layer security.

“You might have 200,000 botnets looking for interactions between your customers,” Tyson said. “They’ll pick up your user IDs, then pound away to do logins with them. If you have a system that locks out users after a few tries, every customer you have could be locked out of your site. If you’re a bank, that’s a problem.”

To protect against the fast moving world of security attacks out there, he said security executives will need to bake security principles right into the infrastructure. Often times, Tyson said, enterprises fail to follow fundamental security principles, like enabling the encryption technology for their Cisco switches or properly coding their Web sites to limit security holes.

“If people can run an SQL injection into your site, you’re going to be in trouble,” he said.

The Autoweb example

One company which found themselves in this kind of trouble earlier this year was U.K.-based advertising and marketing firm Autoweb. The attack exploited a vulnerability in a single line of Web application code to pierce through to the company’s Microsoft SQL database. It injected 30 characters to overwrite content, defaced Web pages, and ultimately knocked the site offline. The attack left Web pages that would attempt to inject malicious code into browsers of Web visitors.

How Autoweb had to fight to recover its site over the long weekend that followed shows how devastating SQL injection attacks can be. CIO Richard McCombe said nothing like this ever happened before to its Web site, which is hosted by a provider in Leeds, England. “We were struggling at that point to get the site back up,” he said.

Autoweb’s IT staff, who worked through the weekend, realized that database tables storing content provided by car dealers about their vehicles had been overwritten with a 30-character script. A look at log files showed the attacks, which continued to surge through the weekend, were originating from IP addresses in China. So Autoweb blocked them. “That gave us a window of opportunity,” McCombe said.

About a day’s worth of new Web content from car dealers had been corrupted in the SQL injection attacks, but Autoweb did a daily backup, so it turned to that for clean content, and began backing up each hour through the weekend. McCombe managed to find a Web development company to fix the Web application hole.

“It was a simple piece of code in the Web application,” McCombe said. As Autoweb began to put the nightmare of the massive SQL injection attack behind it, the impact was apparent.

“We were at 25,000 visits a day, now we’re at 20,000,” McCombe said. The site’s Google search ranking also took a significant hit.